With regard to payment initiation services, Article 36(1)(b) of the Commission Delegated Regulation 2018/389, which largely reproduces Article 66(4)(b) of PSD2, states that the account servicing payment service provider (ASPSP) shall, immediately after receipt of the payment order, provide payment initiation service providers (PISPs) with the same information on the initiation and execution of the payment transaction provided or made available to the payment service user (PSU) when the transaction is initiated directly by the latter. Hence, the ASPSP shall, immediately after receipt of the payment order, provide the name of the payer (the PSU) to the PISP via the dedicated interface if the name is included in the information on the initiation and execution of the payment transaction provided or made available to the PSU when the transaction is initiated directly by the latter.

Notwithstanding the above, PISPs have to comply with the requirements under Article 66(3)(f) and (g) PSD2.

With regard to account information services, Article 36(1)(a) of the Delegated Regulation states that the ASPSP shall provide account information service providers (AISPs) with the same information from designated payment accounts and associated payment transactions made available to the PSU when directly requesting the access to the account information, provided that this information does not include sensitive payment data. Article 4(32) PSD2 states that for the activities of PISPs and AISPs, the name of the account owner does not constitute sensitive payment data. Hence, the ASPSP shall provide the name of the payment account owner (the PSU) to the AISP via the dedicated interface if the name is made available to the PSU when directly accessing his account information.

Notwithstanding the above, AISPs have to comply with the requirements under Article 67(2)(f) PSD2.

This is without prejudice to PISPs’ and AISPs’ obligations under Directive (EU) 2015/849 (4th Money Laundering Directive).

* The answer to the Q&A presented here was amended by a Directorate General of the Commission on 20/12/2019, to respond to new factual elements that have been provided by market participants since the publication of the original answer on 25/01/2019, which required additional clarity to be provided to achieve the aim of a consistent implementation of PSD2 and Commission Delegated Regulation (EU) 2018/389 (the RTS on SCA&CSC).

Application Programming Interfaces (APIs) should foresee the possibility of providing the name of the payer in case this information is required for delivering payment initiation services or account information services. Article 66 (3)(f) PSD2 states that the payment initiation service provider (PISP) shall not request from the payment service user any data other than those necessary to provide the payment initiation service. Article 66 (3)(g) PSD2 further states that the PISP shall not use, access or store any data for purposes other than the provision of the payment initiation service as explicitly requested by the payer.

A PISP should therefore be able to justify that obtaining the name of the payer is necessary for the provision of the payment initiation service as explicitly requested by the payer.
Article 67 (2)(f) PSD2 states that the account information service provider (AISP) shall not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules. The AISP should therefore be able to justify that the name of the payment account holder is necessary for the account information service requested by the account owner.

As regards the question whether the name of the payee or a beneficiary list can be displayed, please see the answer to Q&A 2018_4128.
It follows from the above, that the ASPSP shall cater for the possibility in the access interface, e.g. an Application Programming Interface (API), to provide or make available the name of the payer/ payment account holder in order not to create obstacles for PISPs and AISPs, if the latter can justify to the NCA that the name is necessary for the provision of their services.

Article 4 (32) PSD2 states that for the activities of PISPs and AISPs the name of the account owner does not constitute sensitive payment data. This, however, is not relevant for the question whether the ASPSP can or shall provide the name of an account holder. The fact that the name of the account owner is not considered sensitive data only has as a consequence that Article 66 (3)(e) PSD2 and Article 67 (2)(e) PSD2 on requesting and storing sensitive payment data do not apply.

The above PSD2 provisions are fully in line with Article 5(1)(c) of the General Data Protection Regulation (GDPR) on the principle of data minimisation and Article 6(1)(b) on the legal basis for the processing (performance of a contract).

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.